Bugtraq mailing list archives
Re: Clarifying integer overflows vs. signedness errors
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Sat, 25 Nov 2006 19:02:16 +0100 (CET)
On Tue, 21 Nov 2006, Steven M. Christey wrote:
I think of an integer overflow as being: "some computation (addition, multiplication) would produce an integer value that is too large to be stored in the actual memory location, so the integer wraps to some other value." (let's leave integer "underflow" out of this for the moment).
The passing of a signed variable called "len" to an unsigned parameter of copyout() is a (trivial) computation producing a value that does not fit into the target type. Negative values "wrap around" and monotonicity (length <= buffer size) is not preserved. IMHO these two classes of problems grow from one common root. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
Current thread:
- Clarifying integer overflows vs. signedness errors Steven M. Christey (Nov 21)
- Re: Clarifying integer overflows vs. signedness errors Thiago Zaninotti (Nov 22)
- Re: Clarifying integer overflows vs. signedness errors Pavel Kankovsky (Nov 25)